When it comes to secure backups, your thoughts might automatically turn to various forms of backup encryption. Although encryption can go a long way toward securing your backups, there is a lot more to backup security than just encrypting data.
Service account usage
Some backup software products use a service account, which is a user account that is used to provide the security context under which a backup is run. Administrators should take steps to keep service accounts from becoming a potential security hole, because service accounts typically have access to the same data that the backup software is backing up.
Not every backup product uses service accounts, but there are some general best practices for those that do. First, avoid using a service account to run backup agents if at all possible (most modern backup agents do not require one). It's better to run the agent under the built-in Local System account instead: Local System has no password to manage, rotate or leak, and it cannot be used to log on interactively. The trade-off is that Local System is fully privileged on the local machine, so this only shifts the trust onto the agent software itself, which is why the agent should come from a vetted source and be kept patched.
If the backup server requires a service account to communicate with protected servers or backup targets, then it is best to use a dedicated service account with a long, randomly generated password that no human needs to remember or type.
Some administrators like to create a multi-purpose service account for the sake of convenience. For example, a single account might be used for backups, SharePoint and several other applications. From a security standpoint, however, doing so is a very bad idea. Service accounts are typically granted elevated permissions that sometimes exceed those of an administrator's own account.
If a single service account is used for multiple applications, then each application grants that account the permissions it needs for its own purposes. Because multiple applications grant permissions to the same account, the account ends up holding the union of all of them, far more than any one application requires. A compromise of any one of those applications (or of the host it runs on) therefore hands the attacker the permissions of all of them, so the shared service account becomes a security risk out of proportion to any single application.
In addition to using dedicated service accounts, there are a few other best practices that you should follow. First, be sure to protect the service account with a strong password, and restrict where the account can be used: deny it interactive and Remote Desktop logon, mark it as sensitive so that it cannot be delegated, and grant it the "Log on as a service" right only on the hosts that actually run the service. A credential that cannot be used outside its intended role is worth much less to an attacker who captures it.
Next, give the service account an inconspicuous name. If you were to name a service account BACKUP-SERVICE-ACCOUNT, then anyone who happens to be poking around your network will realize that the account is used as a service account for your backup software. You don't want to provide a potential attacker with a clear target. It is better to give the service account a name that blends in with the other naming conventions used on your network. Treat this as a minor hurdle rather than a control, though: any authenticated domain user can query the directory and identify service accounts by their group memberships, service principal names and logon rights regardless of what they are called, so the restrictions placed on the account matter far more than its name.
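The following PowerShell script is an added example, not code from the original article or from any backup product. It walks through the service account practices above on a domain-joined Windows backup server: it inventories which accounts the host's services actually run under, flags any account shared by several services, creates a dedicated account with a random password, limits what that credential can be used for, and assigns it to the backup service without putting the password on a command line. It assumes the ActiveDirectory module (RSAT) is installed and uses hypothetical names: an account called `svc-fs02` (chosen to look like an ordinary naming convention) and a service called `ExampleBackupSvc`; substitute your own.

```powershell
# Added example; not code from the original article. Assumes the ActiveDirectory
# module (RSAT), a domain-joined backup server, and hypothetical names: a
# dedicated account 'svc-fs02' that follows an existing convention and a backup
# service named 'ExampleBackupSvc'. Run in an elevated session on the backup server.

# 1. Inventory the identities that services on this host actually run under.
#    Built-in identities (Local System, Local Service, Network Service and
#    virtual service accounts) are excluded; what remains are real accounts.
$builtin  = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtin }

# 2. An account that backs more than one service is the multi-purpose account
#    the article warns about: it holds the union of every service's rights.
$services | Group-Object -Property StartName | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("{0} runs {1} services: {2}" -f $_.Name, $_.Count, ($_.Group.Name -join ', '))
}

# 3. Create the dedicated account with a 256-bit random password. Nobody needs
#    to remember it, so it never has to be short enough to type.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secret = ConvertTo-SecureString -String $plain -AsPlainText -Force
New-ADUser -Name 'svc-fs02' -SamAccountName 'svc-fs02' -AccountPassword $secret -Enabled $true
# Record what the account is for in your inventory/CMDB, not in the AD
# description field, which any authenticated user can read.

# 4. Reduce what a stolen credential is good for. "Account is sensitive and
#    cannot be delegated" stops Kerberos delegation hops. Denying interactive
#    and RDP logon, and granting "Log on as a service" only on this host, are
#    user-rights assignments set through Group Policy rather than on the account.
Set-ADAccountControl -Identity 'svc-fs02' -AccountNotDelegated $true

# 5. Point the backup service at the new account. Win32_Service.Change accepts
#    the credential as a method argument, so the password never appears in a
#    command line or in shell history the way 'sc.exe config ... password=' does.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ExampleBackupSvc'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = "$env:USERDOMAIN\svc-fs02"
    StartPassword = $plain
}
if ($result.ReturnValue -ne 0) {
    throw "Service reconfiguration failed with code $($result.ReturnValue)"
}
Remove-Variable -Name plain, bytes   # do not leave the secret sitting in the session
```

Step 2 is worth running on every server the backup product touches, not just the backup server: a shared account usually shows up on the application hosts, where someone reused the "backup" credential for a SharePoint or SQL job. Step 5 restarts nothing; restart the service afterwards and confirm it starts under the new identity before retiring the old account.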
Most organizations have multiple employees who are able to perform backup and/or restoration operations, even if one person handles the bulk of the day-to-day operations.
Given the sensitivity of the data that is being backed up, be sure to put an appropriate level of audit logging into place and to practice least privilege: each person gets only the backup or restore rights their job requires, and every use of those rights is attributable to that person.
Some organizations use a designated backup operator account rather than allowing those responsible for performing backups to log in using their user accounts. The idea is that backup operations typically require permissions beyond those that are normally granted to standard users. To minimize the risk of a security breach, backup operators in such organizations are instructed to use standard user accounts for day-to-day usage and to only use the "backup operator" account for performing backup operations.
Although it is a good idea for the IT staff to use standard user accounts whenever possible, using a single shared "backup operator" account for all backup and recovery operations presents security risks of its own. If multiple staff members use that account, then it becomes impossible to track who performed which backup or recovery operation. Audit logging can only be effective if you have a way of mapping an action to the person who performed it. So, it is a good idea to create two user accounts for each person who has access to the backups -- a standard account and a backup operator account that is uniquely theirs.
Once unique accounts have been created for anyone who will have access to the backups, the next step is to assign each person an appropriate role according to the concept of least privilege access. For example, if your helpdesk staff is occasionally asked to restore files for end users, then they obviously need restoration rights, but they do not need the rights to create backups.
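The script below is an added example, not code from the original article or any backup product, showing what the per-person operator account and audit logging described above look like on a Windows backup server. It creates a paired operator account for one person, puts it in the server's local Backup Operators group, turns on auditing of the backup and restore privileges that group confers, and then reports who has actually exercised those privileges. It assumes the ActiveDirectory module and a hypothetical naming convention in which the person `jdoe` gets an operator account `jdoe-bkp`; the restore-only role for helpdesk staff lives in the backup product's own permission model and is not scripted here.

```powershell
# Added example; not code from the original article. Assumes a domain-joined
# backup server with the ActiveDirectory module, run in an elevated session, and
# a hypothetical convention in which person 'jdoe' gets the operator account
# 'jdoe-bkp'. Restore-only rights for helpdesk staff are granted in the backup
# product's own role model, which this script does not touch.
param(
    [Parameter(Mandatory)][string]$Person,   # e.g. 'jdoe'
    [switch]$AuditOnly                       # skip account creation, only report
)

$opName = "$Person-bkp"

if (-not $AuditOnly) {
    # One operator account per human, so the Security log's SubjectUserName
    # names a person rather than a shared role.
    $initial = Read-Host -AsSecureString -Prompt "Initial password for $opName"
    New-ADUser -Name $opName -SamAccountName $opName -AccountPassword $initial `
        -Enabled $true -ChangePasswordAtLogon $true

    # Membership in the LOCAL Backup Operators group on this server grants
    # SeBackupPrivilege and SeRestorePrivilege here and nowhere else. The domain's
    # Builtin\Backup Operators group would also grant them (and local logon) on
    # every domain controller, which a backup operator does not need.
    Add-LocalGroupMember -Group 'Backup Operators' -Member "$env:USERDOMAIN\$opName"
}

# Those two privileges bypass file ACLs, so every use of them should be logged.
# The "Sensitive Privilege Use" subcategory covers SeBackupPrivilege and
# SeRestorePrivilege and emits events 4673/4674. It is noisy; forward it to a SIEM.
auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null

function Get-BackupPrivilegeUse {
    # Returns one object per backup/restore privilege use in the last $Hours,
    # attributed to the account that exercised it.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4673, 4674; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['PrivilegeList'] -match 'Se(Backup|Restore)Privilege') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Privilege = $data['PrivilegeList']
                Process   = $data['ProcessName']
            }
        }
    }
}

# Who actually used backup/restore rights in the last day? With a shared
# operator account this table would be useless; with per-person accounts it is
# the accountability record the audit log exists to provide.
Get-BackupPrivilegeUse | Group-Object -Property User |
    Select-Object -Property Name, Count | Sort-Object -Property Count -Descending
```

Run it once per person with `-Person jdoe`, and later with `-AuditOnly` to produce the report. Expect the backup software's own service account to dominate the counts; the entries of interest are the human operator accounts, and any account you do not recognise in that list is worth investigating the same day.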
One of the most important aspects of secure backups is physical security. This is especially true for organizations that use removable media for backups. Simply put, your backup servers, tape drives and so forth should be kept behind a locked door. Ideally, the door should use electronic locks that keep track of who has entered the room and when. Security cameras can also be used as a deterrent to tape theft.
Even if tapes and tape drives are kept in a locked room, take additional measures to limit the opportunity for media theft. For example, you might schedule removable media backups in a way that ensures that the backup completes at a time when someone will be available to immediately move the media to a vault or to ship the media off-site. You don't want a backup tape sitting in a drive all weekend when nobody is in the office.
As you can see, there is a lot more to backup security than just encrypting data. Even though encryption is important, it is not a substitute for strong physical security and proper account usage.
About the author
Brien M. Posey, MCSE, has received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server. Brien has served as CIO for a nationwide chain of hospitals and has been responsible for the department of information management at Fort Knox. You can visit Brien's personal website at www.brienposey.com.